diff --git a/pkg/services/ssosettings/strategies/oauth_strategy.go b/pkg/services/ssosettings/strategies/oauth_strategy.go
index 4420902bec2..2e036190686 100644
--- a/pkg/services/ssosettings/strategies/oauth_strategy.go
+++ b/pkg/services/ssosettings/strategies/oauth_strategy.go
@@ -46,7 +46,7 @@ func (s *OAuthStrategy) loadAllSettings() {
 }
 
 func (s *OAuthStrategy) loadSettingsForProvider(provider string) map[string]any {
- section := s.cfg.SectionWithEnvOverrides("auth." + provider)
+ section := s.cfg.Raw.Section("auth." + provider)
 
 return map[string]any{
 "client_id": section.Key("client_id").Value(),
diff --git a/pkg/services/ssosettings/strategies/oauth_strategy_test.go b/pkg/services/ssosettings/strategies/oauth_strategy_test.go
index 378ed5bf66c..258ea41f966 100644
--- a/pkg/services/ssosettings/strategies/oauth_strategy_test.go
+++ b/pkg/services/ssosettings/strategies/oauth_strategy_test.go
@@ -94,19 +94,7 @@ var (
 }
 )
 
-func TestGetProviderConfig_EnvVarsOnly(t *testing.T) {
- setupEnvVars(t)
-
- cfg := setting.NewCfg()
- strategy := NewOAuthStrategy(cfg)
-
- result, err := strategy.GetProviderConfig(context.Background(), "generic_oauth")
- require.NoError(t, err)
-
- require.Equal(t, expectedOAuthInfo, result)
-}
-
-func TestGetProviderConfig_IniFileOnly(t *testing.T) {
+func TestGetProviderConfig(t *testing.T) {
 iniFile, err := ini.Load([]byte(iniContent))
 require.NoError(t, err)
 
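Review bot: `loadSettingsForProvider` now reads `s.cfg.Raw.Section("auth." + provider)` as-is, so `GF_AUTH_*` environment overrides reach the SSO settings only if they were already merged into `cfg.Raw` before the strategy runs. The deleted `TestGetProviderConfig_EnvVarsOnly` case (a bare `setting.NewCfg()`) is a path where that no longer holds. For keys such as `client_secret`, `enabled` and `tls_skip_verify_insecure`, an operator's environment value being silently ignored changes the login posture, so the precondition should be written down. I would add above the function `// loadSettingsForProvider reads cfg.Raw as-is; environment overrides and ${VAR} expansion must already have been applied by Cfg.Load.` The function body continues past the end of the hunk, so the remaining keys are not visible here.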
@@ -120,65 +108,3 @@ func TestGetProviderConfig_IniFileOnly(t *testing.T) {
 
 require.Equal(t, expectedOAuthInfo, result)
 }
-
-func TestGetProviderConfig_EnvVarsOverrideIniFileSettings(t *testing.T) {
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ENABLED", "false")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC", "false")
-
- iniFile, err := ini.Load([]byte(iniContent))
- require.NoError(t, err)
-
- cfg := setting.NewCfg()
- cfg.Raw = iniFile
-
- strategy := NewOAuthStrategy(cfg)
-
- result, err := strategy.GetProviderConfig(context.Background(), "generic_oauth")
- require.NoError(t, err)
-
- expectedOAuthInfoWithOverrides := expectedOAuthInfo
- expectedOAuthInfoWithOverrides["enabled"] = false
- expectedOAuthInfoWithOverrides["skip_org_role_sync"] = false
-
- require.Equal(t, expectedOAuthInfoWithOverrides, result)
-}
-
-func setupEnvVars(t *testing.T) {
- t.Setenv("GF_AUTH_GENERIC_OAUTH_NAME", "OAuth")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ICON", "signin")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ENABLED", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP", "false")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_CLIENT_ID", "test_client_id")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET", "test_client_secret")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_SCOPES", "openid, profile, email")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES", "")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME", "email:primary")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH", "email")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH", "role")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH", "groups")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TEAM_IDS_ATTRIBUTE_PATH", "team_ids")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_AUTH_URL", "test_auth_url")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TOKEN_URL", "test_token_url")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_API_URL", "test_api_url")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TEAMS_URL", "test_teams_url")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS", "domain1.com")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS", "")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TLS_CLIENT_CERT", "")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TLS_CLIENT_KEY", "")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TLS_CLIENT_CA", "")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_USE_PKCE", "false")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_AUTH_STYLE", "inheader")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN", "true")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_HOSTED_DOMAIN", "test_hosted_domain")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS", "org1, org2")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_ID_TOKEN_ATTRIBUTE_NAME", "id_token")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH", "login")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH", "name")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_TEAM_IDS", "first, second")
- t.Setenv("GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL", "test_signout_redirect_url")
-}
diff --git a/pkg/setting/setting_test.go b/pkg/setting/setting_test.go
index 41f8fb139a5..a309211be1d 100644
--- a/pkg/setting/setting_test.go
+++ b/pkg/setting/setting_test.go
@@ -75,6 +75,19 @@ func TestLoadingSettings(t *testing.T) {
 require.Equal(t, filepath.Join(cfg.DataPath, "log"), cfg.LogsPath)
 })
 
+ t.Run("Should be able to expand parameter from environment variables", func(t *testing.T) {
+ t.Setenv("DEFAULT_IDP_URL", "grafana.com")
+ t.Setenv("GF_AUTH_GENERIC_OAUTH_AUTH_URL", "${DEFAULT_IDP_URL}/auth")
+
+ cfg := NewCfg()
+ err := cfg.Load(CommandLineArgs{HomePath: "../../"})
+ require.Nil(t, err)
+
+ genericOAuthSection, err := cfg.Raw.GetSection("auth.generic_oauth")
+ require.NoError(t, err)
+ require.Equal(t, "grafana.com/auth", genericOAuthSection.Key("auth_url").Value())
+ })
+
 t.Run("Should replace password when defined in environment", func(t *testing.T) {
 t.Setenv("GF_SECURITY_ADMIN_PASSWORD", "supersecret")
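Review bot: The new subtest asserts only `${VAR}` expansion for `auth_url`; with `TestGetProviderConfig_EnvVarsOverrideIniFileSettings` deleted in the same commit, nothing visible still checks that a `GF_AUTH_GENERIC_OAUTH_*` variable takes precedence over a value already present in the loaded ini data. One extra assertion here would keep that guarantee covered, for example `t.Setenv("GF_AUTH_GENERIC_OAUTH_CLIENT_ID", "test_client_id")` together with `require.Equal(t, "test_client_id", genericOAuthSection.Key("client_id").Value())`. The error check after `cfg.Load` would also read more consistently as `require.NoError(t, err)`, matching the check two lines below it. `TestLoadingSettings` starts and ends outside the hunk.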